From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 17 Mar 2020 12:54:49 -0400
Subject: [PATCH 1/2] Remove token key checks
Previously we enforced strict token key matching: the primary key used
for the operation must strictly reside on the current PKCS#11 token,
otherwise JSS would bail. However, NSS has the ability to move the key
to whichever token best supports the given operation. This means that
we'd prematurely bail when the operation would succeed if it were
actually executed. By removing these checks, we still leave the ability
to generate keys on a specific token, we just allow them to be used on
whatever token supports the given operation (and the key is allowed to
be moved to).
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
3 files changed, 33 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
index 81b600a4..aac411a4 100644
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
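Review bot: Removing the owning-token check means `token` no longer bounds where this Cipher's key is exercised; a key generated on one token is now handed straight to NSS, which per the commit message may relocate it to whichever token supports the operation. Callers that relied on the old InvalidKeyException to keep an HSM-resident key from ever being used off-token now get that guarantee only from the key's own PKCS#11 attributes (non-extractable/sensitive), and such a key will presumably fail in the later native initialization rather than at this point. I would leave a comment after the null check so the next reader does not re-add the check: `// Note: the key need not reside on 'token'; NSS moves it to a token that supports the operation, or the native init fails if the key's attributes forbid the move.`. The enclosing method starts before and ends after this hunk.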
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
index 28840a87..eee2984d 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("Key is null");
}
try {
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
- key.getOwningToken().getName());
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11PrivKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
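Review bot: On the private-key path the removed token check is replaced by nothing, yet the private keys most likely to sit on a different token here — HSM-resident ones — are typically marked non-extractable, so NSS presumably cannot move them and a mismatch will now surface from the native layer with a less specific error than the old "Key does not reside on the current token" message. If that is the intended behaviour, a comment at this point would save a future debugger time: `// Key may live on another token; NSS relocates it only if the key's attributes allow, otherwise the native call reports the failure.`. Whether the native error names the offending token is not visible in this hunk, and the enclosing method starts before and ends after it.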
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
index cd732788..7a1a6dad 100644
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
}
hmacKey = (PK11SymKey) key;
-
- if( ! key.getOwningToken().equals(token) ) {
- hmacKey = null;
- throw new InvalidKeyException(
- "HMAC key does not live on the same token as this digest");
- }
-
this.digestProxy = initHMAC(token, alg, hmacKey);
}
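Review bot: The removed block did more than compare tokens: it reset `hmacKey` to null before throwing, so a failed initialization never left the digest holding a dangling key reference. After this change `hmacKey` is assigned before `initHMAC` runs, and if `initHMAC` throws — presumably where a key NSS cannot relocate now fails — the field keeps pointing at a key that was never installed while `digestProxy` keeps its previous value. Assigning only after the native call succeeds restores the old invariant: `PK11SymKey candidate = (PK11SymKey) key;` / `this.digestProxy = initHMAC(token, alg, candidate);` / `hmacKey = candidate;`. The enclosing method starts before this hunk, so whether any caller clears `hmacKey` on failure is not visible here.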
--
2.25.1